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The optimal mean photon number (fj.) for quantum cryptography is the average pho- 
ton number per transmitted pulse that results in the highest delivery rate of distilled 
cryptographic key bits, given a specific system scenario and set of assumptions about 
Eve's capabilities. Although many experimental systems have employed a mean photon 
number (fj.) of 0.1 in practice, several research teams have pointed out that this value 
is somewhat arbitrary. In fact, various optimal values for fj, have been described in the 
literature. 

In this paper we offer a detailed analytic model for an experimental, fiber-based 
quantum cryptographic system, and an explicit set of reasonable assumptions about 
Eve's current technical capabilities. We explicitly model total system behavior ranging 
from physical effects to the results of quantum cryptographic protocols such as error 
correction and privacy amplification. We then derive the optimal photon number (fi) for 
this system in a range of scenarios. One interesting result is that fs! 1.1 is optimal for 
a wide range of realistic, fiber-based QKD systems; in fact, it provides nearly 10 times 
the distilled throughput of systems that employ a more conventional p, = 0.1, without 
any adverse affect on system security, as judged against a set of reasonable assumptions 
about Eve's current capabilities. 
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1 Background and Problem Statement 

It now seems likely that Quantum Key Distribution (QKD) techniques can provide practical 
building blocks for highly secure networks, and in fact may offer valuable cryptographic ser- 
vices, such as unbounded secrecy lifetimes, that can be difficult to achieve by other techniques. 
Accordingly, a number of commercial and research organizations have begun to build and op- 
erate complete QKD systems. As quantum cryptography has started the transition from 
laboratory demonstrations to working systems in the field, questions of operating efficiency 
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and realistic levels of security have taken on a heightened importance." 

A wide range of techniques has been proposed for quantum cryptography, and many have 
been experimentally demonstrated; see Gisin et al. for a superb overview. However, in 
realistic settings, such as operation through the atmosphere or through tens of kilometers 
of telecommunications fiber, even the most efficient of these techniques currently provide 
no more than roughly 1,000 distilled^bits per second, depending on channel losses, choice 
of eavesdropping threat model, and a large number of technical parameters. While this 
key generation rate is more than sufficient for rapid rekeying of conventional cryptographic 
algorithms — for example it allows rekeying of an AES algorithm with fresh 256-bit keys 4 times 
per second — a faster key generation rate would allow a large number of cryptographically 
protected traffic flows to be rekeyed at a given rate. In addition, it is far too low for most uses 
of one-time pads. An important practical question, therefore, is how to increase this rate. 

A number of different approaches may contribute to improved distilled key generation 
rates: detector efficiencies may be improved, e.g., by novel forms of detectors; pulse rates 
may be increased; and entropy estimates may be refined so that less privacy amplification 
is required for a given observed level of noise. Promising efforts are underway in all these 
areas (e.g. [2131^). This paper explores yet another avenue to increasing the key generation 
rate, namely, by finding an optimal value for the mean number of photons emitted in each 
pulse, i.e., that which maximizes the distilled key generation rate for a given scenario and set 
of eavesdropping assumptions. This mean photon number is often designated /i in the QKD 
literature. 

This paper provides a detailed, quantitative analysis of the interaction between yu, channel 
attenuation, and privacy-amplified key generation rates, and compares the results with prior 
research on optimal mean photon number. We specifically consider a phase-modulated system, 
with attenuated laser source and cooled InGaAs APDs, designed for telecommunications fiber; 
however the results can be readily generalized to other systems. 

One interesting result is that /i « 1.1 is optimal for a wide range of realistic, fiber-based 
QKD systems under a reasonable eavesdropping threat model; in fact, it provides nearly 10 
times the distilled throughput of systems that employ a more conventional jj. = 0.1, without 
any adverse affect on system security. For many steeped in the field, it may seem counter- 
intuitive — even downright false — that a mean photon number as large as 1, let alone greater 
than 1, may be possible without sacrificing all security. However, as Prof. Gisin et al. have 
noted in their magisterial survey of quantum cryptography pP, "multiphoton pulses do not 
necessarily constitute a threat to key security, but they limit the key creation rate because 
they imply that more bits must be discarded during key distillation." This paper may be 
viewed as an elaboration, and preliminary quantification, of that important remark. 

2 Review of the Current Art 

Although most practitioners of quantum cryptography have now converged upon a mean 
photon number {fx) of 0.1 as a good benchmark value, "contrary to a frequent misconception, 
there is nothing special about a /i value of 0.1, even though it has been selected by most 

"The opinions expressed in this article are those of the authors alone, and do not necessarily reflect the views 
of the United States Department of Defense, DARPA, or the United States Air Force. 

''In our terminology, a "distilled" key has been sifted, error corrected, and privacy amplified, and is thus ready 
to use as key material. 
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experimentalists. The optimal value — i.e., the value that yields the highest key exchange rate 
after distillation — depends on the optical losses in the channel and on assumptions about 
Eve's technology." ^ In fact, in recent years, at least three leading research teams have 
carefully investigated the optimal mean photon rate, and have come to differing conclusions. 
Accordingly, this section recapitulates both the widespread rationale for ^ = 0.1, and the 
previous research on the relationship of fi to distilled key rate. 

As will be seen, for some years the QKD community has held, in effect, an ongoing 
discussion of the optimal mean photon number for various contexts, but generally as side 
comments within papers devoted to other topics. As a result, it has been difficult to find a 
detailed and explicit linkage between eavesdropping threat models and optimal mean photon 
numbers. 

The origin of the value 0.1 for the mean photon number was the very first experimental 
realization of QKD by Bennett et al. in 1992 [H]. This early work analyzed various kinds 
of attacks on the small number of multi-photon pulses produced, including one version of 
unambiguous state discrimination, and concluded that unambiguous state discrimination was 
impossible for such a small /i without significantly biasing the detector statistics at Bob. Later 
researchers have shown that this conclusion is incorrect 5^. However, the number of bits that 
Eve can discover is very small, and Bennett et al. left a significant safety margin in their 
estimate. The attacks they considered feasible involved intercepting one photon from each 
multi-photon pulse and measuring it. For each such pulse that reaches Bob, they assume Eve 
gains one bit of information, thus implicitly allowing Eve to have a quantum memory and to 
measure the photon only when its basis is disclosed. 

Many other experimental systems, including ours, borrowed from |S] the value of 0.1 for 
/i as well as the estimate of Eve's advantage from photon-number splitting (PNS) attacks. 
Two experimental teams, from Los Alamos and IBM Almaden 0, then calculated optimal 
numerical values for /i in their systems, based on this estimate. For the free-space system 
used by Los Alamos, this value of fi was 0.4, while for IBM's "plug-and-play" fiber-based 
system it was 0.3. The IBM Almaden group also examined the throughput vs. mean photon 
number for a number of different eavesdropping models. 

On the theoretical side, Gilbert and Hamrick performed an extensive analysis of possible 
attacks on multi-photon pulses, including splitting, unambiguous state discrimination, and 
surreptitiously replacing the channel to Bob with a perfectly transparent one. In short, they 
selected a more formidable eavesdropping model than posited in the analyses of Bennett, 
Los Alamos, or IBM Almaden. Granting Eve such powers, they produced a much more 
conservative estimate of the amount of information Eve might gain. They also analyzed 
the optimum mean photon number in one specific scenario, an aircraft to a LEO satellite, 
and found it to be 0.455, although in this case they allow Eve less power than in a fiber 
link — specifically, she is not able to replace the channel with a lossless one. 

These differing estimates are further compared in section 5. 

3 Our Analytical Approach 

Our analysis, in the following section, is derived from a moderately detailed mathematical 
model of a full QKD system for use in telecommunications fiber, including both physical 
effects and the outcomes of higher level protocols, validated against two working systems in 
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the laboratory. This section briefly describes our working systems (the concrete subjects of 
analysis), then discusses the major elements in our analytic model. Appendix A contains the 
full text of the model. 

3.1 Functioning Systems for Quantum Cryptography 

BBN, Boston University, and Harvard University are currently building a large-scale quantum 
cryptography system, the DARPA Quantum Network, and fielding it into dark fiber in the 
Cambridge, Massachusetts metropolitan area. See for example O for details on this 
network and its design goals. Two interoperable QKD systems in the DARPA Quantum 
Network started 24x7 duty in October 2003; we call these 'Mark 2' systems because they 
replaced our first-generation link, which started continuous operation in December 2002. 
These systems were inspired by a pioneering Los Alamos system II and designed to run 
through telecommunications fiber as widely deployed today. 

Each Mark 2 system employs a highly attenuated telecommunications laser at 1550.12 
nm, phase modulation via unbalanced Mach-Zehnder interferometers, and thermo-electrically 
cooled InGaAs avalanche photo detectors (APDs). Most Mark 2 electronics are implemented 
by discrete components such as pulse generators. At present, incoming dim pulses are de- 
tected by Epitaxx EPM 239 AA APDs cooled to approximately -40 degrees Centigrade and 
gated during a pulse arrival period. Since custom cooling and electronics are required, we 
designed and built our own cooler package to maintain the APDs at the requisite operating 
temperatures. Even with this special treatment, they suffer considerably from low Quantum 
Efficiency (QE), relatively high dark noise, and serious after-pulsing problems. These cooled 
detectors form one of the most important bottlenecks in the overall system performance, as 
they require on the order of 10 /isec to recover between detection events. The overall link has 
been designed to run at up to 5 Mb/s transmit rate but with a dead-time circuit to disable 
the APD after a detection event in order to accommodate this recovery interval and suppress 
detector after-pulsing. 

BBN's QKD protocol stack is an industrial-strength implementation written in the C 
programming language for ready portability to embedded real-time systems. At present all 
protocol control messages are conveyed in IP datagrams so that control traffic can be conveyed 
via an internet. Two aspects of BBN's QKD protocol stack deserve special mention. First, it 
implements a complete suite of QKD protocols. In fact, it implements multiple "plug compat- 
ible" versions of some functions, e.g., it provides both the traditional BB84 sifting protocol 
and the newer "Geneva" style sifting It also provides a choice of entropy estimation 

functions including the well-known BBBSS92 estimates 0, Slutsky's defense frontier analy- 
sis JSl, and the newer Myers-Pearson estimate We expect to add additional options and 
variants as they are developed. Second, BBN's QKD protocols have been carefully designed 
to make it as easy as possible to plug in other QKD systems, i.e., to facilitate the introduction 
of QKD links from other research teams into the overall DARPA Quantum Network. 

3.2 Analytic Tools used in this Paper 

Over the past two years, we have developed a Matlab / Octave model to analyze the ex- 
pected efficiency of current and projected fiber-based QKD systems in the DARPA Quantum 
Network. The complete model is provided in Appendix A. Some aspects of the model have 
been derived from the QKD literature, but most have been developed from first principles. 
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Dr. John Myers of Harvard University has provided many of the equations in this model; the 
authors have provided the remainder. Of course the authors are solely responsible for any 
flaws in this published model. 

This model provides for a wide range of input parameters such as pulse rate, mean photon 
number at Alice, attenuation, detector efflciency, dark count, and after-pulsing characteristics, 
residual phase error in the Mach-Zehnder interferometers, and so forth. It also provides input 
parameters for higher layers of the QKD protocol stack, such as the sifting protocol employed, 
information revealed during error detection and correction, entropy estimation technique, etc. 
We briefly discuss these inputs, and the associated calculations, in the following paragraphs. 
Although the model provides basic estimates for a range of physical and protocol phenomena, 
it is by no means complete. For example, it does not include any characterization of stray 
light, of chromatic or polarization mode dispersion, and so forth. However, the current version 
of this model has been validated against our QKD systems running both through a flber spool 
in the laboratory and through a 17km fiber loop between BBN and Harvard University, and 
its results agree well with experimental measurement. Thus it appears to capture at least the 
most important drivers for realistic system behavior. 

As shown in Appendix A, the model inputs represent a fiber-based system with a 5 Mb/s 
pulse rate, 0.1 mean photon number (/i), operating through 10.55 km of telecommunications 
flber with an overall fiber attenuation of 2.5 dB. The average receiver loss factor is 10.4 dB, 
with a residual phase error in the Mach-Zehnder interferometers of 3 degrees after both passive 
and active path length stabilization. The path length stabilization and framing overhead 
results in a duty cycle of 80% for usable QKD bits. Detector efficiency is 13%, with mis- 
steered light occurring in 0.9% of the detections, and a dark count probability of 2.8 x 10~^ 
per pulse. At higher layers of the QKD protocol stack, the traditional BB84 sifting algorithm 
is modeled, with the BBN variant of the Cascade error detection and correction protocol using 
a block size of 4,096 bits with 64 sets, the traditional BBBSS92 j5j entropy estimate, and a 
residual confidence level (the probability that Eve has more information than estimated) of 
10~^. These values capture the current state of our QKD systems as of January 2004. 

It should be apparent from inspection of Appendix A that these parameters can be readily 
adjusted to model other flber-based systems, e.g., different detector characteristics, protocol 
behavior, and so forth. One could also extend the model to free-space systems, or systems 
based on pairs of entangled photons, but this would require that additional equations be 
added to the model rather than mere adjustment of input parameters. 

4 Eavesdropping Model and Defense Function 

The most critical factor driving an optimal choice of mean photon number is determining what 
sort of attacks Eve can employ. For intercept-resend attacks on the single-photon pulses, there 
is a fairly well-developed theory about how much privacy amplification is necessary (13t i4). For 
multi-photon pulses, a number of possible attacks have been proposed and analyzed [5l ll4l[T5] . 
but it is by no means clear that the list of possible attacks is complete yet ^B]. Many of 
the theoretically possible attacks are very far from practical implementation with current 
technology. 

Note that these assumptions about Eve's abilities must be built into the privacy amplifi- 
cation margin used in any working QKD system, so they are by no means idle questions. If 
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one wishes to deploy QKD securely, one must choose these assumptions carefully. Once we 
have chosen these assumptions and the privacy amplification formula, numerical optimization 
techniques can determine the optimal multi-photon probability. Therefore it is useful to ex- 
plicitly list a set of assumed capabilities for Eve for a given scenario, as the rates vary greatly 
depending on the assumptions. 

We must decide, for example, whether we wish to guard against an Eve possessing the 
capabilities listed in Table ^ Many research results assume that Eve possesses all these 
capabilities; for some papers it is difficult to determine exactly which capabilities are assumed. 



Table 1. Eavesdropping model used in this analysis. 



Eve Has? 


Potential Technological Capabilities for Eve 


/ 


Perfect detectors 


/ 


A perfect long-term quantum memory 


/ 


Adaptive beam-splitters, which split at most one photon from the 
signal fRl 


/ 


Reliable quantum non-domolition measurement of the total number 
of photons 




The ability to perform unambiguous state discrimination on pulses 
with 3 or more photons 




The ability to discriminate multi-photon pulses in intercept /resend 
attacks UJ 




The ability to substitute low or zero-loss fiber, or to perform quantum 
teleportation with small loss 



It is our belief, following Gisin, et al. jTj, that it is reasonable to guard against eaves- 
dropping that is currently feasible, or may be in the not-too-distant future, rather than make 
deployment infeasible by attempting to guard against theoretical attacks that may never be 
possible. Note, in particular, that near-perfect detectors, particularly if they can resolve the 
number of photons in a pulse, adaptive beam-splitters, or quantum non-demolition (QND) 
measurements can all give us a reliable way to build a true single-photon source, which would, 
in turn, render PNS attacks harmless. QKD is very likely to shift to true single-photon emit- 
ters long before we need to worry about an eavesdropper with a long-term quantum memory. 
It is one of the greatest virtues of QKD that, unlike classical cryptography, there is no risk 
that a future powerful adversary endangers our communications in the present. 

Accordingly, the check marks in Table ^ indicate which technology we assume Eve has 
for the purposes of this analysis, and for the current operation of our working QKD systems. 
We believe that these assumptions are reasonable for current scenarios, since many of the 
postulated technologies appear to be beyond today's current state of the art. 

Finally, given this explicit set of assumptions about Eve's current capabilities, one must 
select an entropy estimate used as input for privacy amplification. This entropy estimate 
includes Eve's information from intercept-resend attacks, called by Slutsky et al. the "defense 
function" 13 . Here we use results based on the original entropy estimate in BBBSS92, but our 
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analytic model explicitly calculates three different entropy estimates (BBBSS92 0, Slutsky 
Myers-Pearson 4 ). The choice of optimal mean photon number is very similar for all 
choices of entropy estimate. 

5 Results and Discussions 

Given all these assumptions, we can employ an analytic model (Appendix A) to calculate the 
optimal mean photon number (/i) over a range of scenarios. Recall that the "optimal" value 
is that which maximizes the delivery rate of distilled bits / second, i.e., optimizes across the 
system-wide effects of multi-photon emission probabilities, attenuation, dark noise, sifting, 
bits revealed during error detection and correction, and the necessary amount of privacy 
amplification. 

The model allows us to extrapolate system performance in a number of scenarios, e.g. if 
we had longer fibers, a faster pulse rate, or better detectors. In particular, we can analyze 
the effects of changing the mean photon number. In Figure ^ we vary only the mean photon 
number fj,, with all other parameters derived from one of our current QKD systems (with 
10.55 km of optical fiber between Alice and Bob). It is very apparent that the current mean 
photon number /z, approximately 0.1 photon, is far from optimal in this setting. Instead the 
mean photon number /i should be slightly more than 1 (about 1.15) to achieve the optimal 
distilled key rate. 
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Fig. 1. Distilled Key Rate as a Function of Mean Photon Number {fi) for a 10.55 km fiber link 
with 2.5 dB loss. 
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Another major objective in optimizing /i is to maximize the distance available for practical 
QKD over metropolitan fiber. Figure [5] shows how the distilled key rate varies with both fiber 
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length and ^, again given specific system characteristics (Appendix A) and the eavesdropping 
model of Section 4. 

As can be seen, the distilled key rate falls off dramatically with distance, and requires 
high values of /i for long distances. These specific results are driven by the relatively low 
quantum efficiency, and relatively high dark count, of our current InGaAs detector suite, but 
the phenomenon is more general. Larger /i naturally leads to more photons at the receiver, 
and correspondingly more raw key bits per second, but more importantly it keeps the valid 
detect rate high compared to receiver dark noise. Dark noise with a highly attenuating 
channel decreases the distilled rate in a very dramatic way because it translates directly into 
a higher error rate. The error detection and correction protocol, such as Cascade, then must 
reveal a substantial amount of information to correct the errors. Since it must be assumed, 
conservatively, that all these errors are due to eavesdropping, the estimate of the remaining 
entropy in the bits drops sharply. 

10000 r 




Mean photon number (/j) at Alice 

Fig. 2. Distilled Key Rate as a Function of Distance and Mean Photon Number (/x). 

Since many factors affect the distilled key rate, it is not surprising that there is not a 
single optimum value of ji to employ in all scenarios. However, for our systems, the optimum 
value does not vary by much. Figure |31 shows the optimum ^ for distances from zero to 50 
km. The optimum varies by less than 20%, from about 1 to 1.2. The peak of the key rate 
curve (Figure^ is rather broad, so choosing a value of 1.0, say, for /i seems to be applicable 
for a broad range of operating conditions. 

Since our estimates of the optimal mean photon number are quite different from conven- 
tional wisdom, careful review of the assumptions and calculations is in order. We believe 
that Bennett, Los Alamos, IBM Almaden, and this paper all employ similar eavesdropping 
models. This is important, because the eavesdropping threat model drives the calculations of 
optimal mean photon number. 

The main difference in our calculation from those of Los Alamos is as follows. They used, 
following Bennett et al., a fairly rough estimate for the fraction of detected pulses that are 
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Fig. 3. Optimal Mean Photon Number (/i) as a Function of Fiber Length. 



vulnerable to splitting. Bennett's (intentionally conservative) estimate was that Eve could 
learn a fraction fi of the bits through beamsplitting. This obviously would never allow /i = 1, 
since then Eve would learn all of the bits. But this is quite conservative indeed, since the 
fraction m of non-empty pulses that contain multiple photons (all of which we want to assume 
Eve intercepts) may be more precisely estimated by the Poisson distribution, 



m 



1 



1 



(1) 



This fraction m is close to fi/2 when fi is small, but diverges farther from /i at higher val- 
ues. Figure Ela) shows the effect of this difference between the estimates on distilled key 
rate for the specific scenario depicted in Figure ^ The estimate we use throughout this pa- 
per ("revised Bennett") is mN + \/2eTi^^{c)y^Nm{l — to) where m is defined above, and 
c = 10~^ is a confidence parameter, the residual probability that Eve might gain more infor- 
mation from multi-photon pulses. The original BBBSS92 5^ estimate ("original Bennett") is 
identical except for using m — /i.We are not the first to employ this revised estimate. Both 
Liitkenhaus jl7| and Gilbert and Hamrick |S) derive their results with the correct multipho- 
ton Poisson statistics, and indeed predict that for low loss and high efficiency detectors, the 
optimum efficiency is achieved for mean photon numbers greater than 1. Without much dis- 
cussion, the IBM Almaden results [5j included curves for the "revised Bennett" estimate as 
well as the "original Bennett" estimate for a range of detector efficiencies and channel losses, 
in a most interesting graph of the effect of on distilled key rate in other eavesdropping 
models, including those of [S] and |17j . These graphs showed that under some circumstances 
/i > 1 is optimal in these other models. 



10 On the Optimal Mean Photon Number for Quantum Cryptography 

Figure 0fb) shows the effect of using Gilbert and Hamrick's estimate , based on a more 
severe eavesdropping model. Since they allow Eve perfect unambiguous state discrimination 
attacks and zero-loss fiber, it is not surprising that their estimate results in a far lower key 
rate. 
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(a) Revising Bennett's calculation 
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(b) Effect of different eavesdropping models 



Fig. 4. The effect of different eavesdropping estimates on tfie distilled key rate as a function of /i 
for a 10.55 km fiber link with 2.5 dB loss. 



The threat model treated in this paper has been implicitly assumed in the eavesdropping 
estimates for multi-photon pulses provided by other research teams I51[71|S]. We believe it is 
a plausible threat model, given current technology, ft is, however, important to realize that 
with larger values of we are moving out of the "comfort zone" of these assumptions. Certain 
attacks that aren't readily feasible at small fi become easier at fi = 1. For example, Bennett 
et al. considered a special case of unambiguous state discrimination in |3] , splitting incoming 
pulses and measuring one portion in each basis. In some cases of 3 or more photon pulses, 
the measurement would result in both detectors firing in one basis and one firing in the other. 
When this happens. Eve can generate a new signal (close to Bob) without introducing any 
errors. For small values of /x, Bennett et al. concluded this attack was harmless. However, 
when n = 1 and with perfect detectors for Eve, this attack becomes feasible with a fiber loss 
of about 18 dB, corresponding to approximately 90km of fiber at 0.2 dB/km attenuation. ° 
Another attack examined by Gisin et al. ^ involves improving the odds of intercept/resend 
attacks by splitting the beam, measuring each half in a different basis, and using detectors 
that can determine the number of photons in the signal. In certain operating regimes (small 
fi or short fiber length) this attack is no better than traditional intercept/resend, and we may 
use the same defense function. However by changing the defense function appropriately (i.e. 
granting Eve more information for each error bit received), one can in fact operate safely with 
a larger mean photon number. For the operating configuration analyzed in this paper, the 
result is still an optimal value of w 1.1. 

'^For this analysis, we assume, following Gilbert and Hamrick |3, that Bob is watching for anomalously high 
numbers of double detections (when both detectors click). Without this precaution, Eve would be able to 
send more than single-photon signals to Bob after successfully determining the state, and the attack would 
be feasible if the total attenuation, including Bob's receiver, was 18dB. 
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6 Conclusions and Future Work 

In this paper we offer a detailed analytic model for an experimental, fiber-based quantum 
cryptographic system, and a set of reasonable assumptions about Eve's current technical 
capabilities. We explicitly model total system behavior ranging from physical effects to the 
results of quantum cryptographic protocols such as error correction and privacy amplification. 
We then derive the optimal photon number (/x) for this system in a range of scenarios. One 
interesting result is that /i w 1.1 is optimal for a wide range of realistic, fiber-based QKD 
systems; in fact, it provides about 10 times the distilled throughput of systems that employ 
a more conventional = 0.1, without any adverse affect on system security, given an explicit 
set of reasonable assumptions about Eve's current capabilities. 

This paper takes one more step in the ongoing exploration of optimal mean photon number 
for a realistic system. Looking ahead, careful specification of a whole range of eavesdropping 
threats, and necessary countermeasures, and of the quantitative effects of each potential threat 
model, will be required before QKD can be trusted in practice. Broadly accepted analysis of 
a wider range of eavesdropping techniques, under a range of technologies available to Alice, 
Bob, and Eve, is thus desirable. 
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Appendix A: Analytical Model 

y, File: model. m 

y. 

y, Description: Analytic model of QKD throughput 

y. 

y. Copyright (c) 2004 by BBN Technologies 

y. 

y, This is a Matlab / Octave model of the QKD throughput of a weak-coherent 
y, source using BB84 through fiber, given various parameters of the system, 
y Key parameters include: 



1 

y pulseRate — the repetition rate of the source, in Hz 

y, dutyCycle — portion of pulses for payload (vs. header, training) 

y, mpn — the mean photon number per pulse at Alice 

y, fiberLength — the length of fiber, in km 

y, fiberLoss — the attenuation of the fiber, in dB/km 

y, rxLoss — receiver loss, in dB (Myers eta_rec, as dB) 

y detEff{0,l} — detector efficiency, for each detector (eta_det) 
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detLecik{0 , l} — leakage of other's light into this detector (epsilon) 

pDark{0,l} — probability that detector fires w/ no light 

pAfter-[0,l} — probability pulse results in unsuppressed afterpulse 

residPhase — residual phase error, RMS, in radians 

blockSize — number of bits in block for EDAC / privacy amplify 

nEdacSets — number of subsets for EDAC 

estType — entropy estimate type ('Bennett', 'Slutsky', 'Myers') 

confidence — probability Eve has more information than estimated 

siftType — type of sifting ('BB84', 'SARG') 

eveChan — for PNS, Eve's multiplier on fiberLoss (0=perfect) 

This file defines typical values for these variables (which are all 
global variables) , and functions which use them to compute the rate 
of detects, errors, and finished bits. To try different scenarios, 
you can simply modify the global parameters and re-execute the function. 



global pulseRate dutyCycle mpn fiberLength fiberLoss rxLoss residPhase 
global detEffO detEffl detLeakO detLeakl pDarkO pDarkl pAfterO pAfterl 
global blockSize nEdacSets estType confidence siftType eveChan 



pulseRate = 5e6; 
dutyCycle = .8; 
mpn = . 1 ; 

fiberLength = 10.55; 
fiberLoss = .237; 
rxLoss = 10.4; 
residPhase = 3 * pi/180; 
detEffO = .117; 
detEffl = detEffO; 
detLeakO = .009; 
detLeakl = detLeakO; 
pDarkO = 2.8e-5; 
pDarkl = pDarkO; 
pAfterO = .001; 
pAfterl = pAfterO; 

blockSize = 4096; 
nEdacSets = 64; 
estType = 'Bennett'; 
confidence = le-6; 
siftType = 'BB84' ; 

eveChan = 0; 



% Alice-Bob link runs at 5MHz 
y. Measured duty cycle 

7, Target value (was calibrated recently) 

Length of fiber spool, in km 
7. dB/km for spool, if total = 2.5dB 
7. measured loss (dB, average over all paths) 
7. not measured recently 
7. from analysis of data 



7o SW/HW suppression should keep this quite low 



7i Configured min (average slightly higher) 
7i Configured 
7o Configured 
7. Hard-wired 
7o Configured 

7o Assime Eve has perfect fiber 



7. sourceRate — the raw rate of symbols at the source (not counting 
7. attenuation) 



function r = sourceRate 

global pulseRate dutyCycle 
r = pulseRate * dutyCycle; 
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endf unction 

y. Utility function to compute the probability of the union of a number of 
7. independent events 

function p = probOr (varargin) 

p = 1; 

for i = (l:nargin) 

p = p * (l-varargin{i}) ; 
endf or 
p = 1 - p; 
endf unction 

7, Here we estimate the probability of the different kinds of detections, and 
7. turn those probabilities into the sifted rate and QBER. 

7. 

7. pmCorr = probability that correct detector fires when bases match 

7» pmlncorr = probability that incorrect detector fires when bases match 

7. pwDetect = prob that detector fires when bases wrong (same for both DO & Dl) 

function [rate, qber] = siftedRate 

global mpn fiberLength fiberLoss rxLoss residPhase 

global detEffO detEffl detLeakO detLeail pDarkO pDarkl pAfterO pAfterl 
pDark = (pDarkO + pDarkl) / 2; 

e = (detEffO*detLeakO + detEf f l*detLeakl) / (detEffO + detEffl); 

atten = . 1" ( . 1* (f iberLength*f iberLoss + rxLoss)); 

c = (detEffO+detEff l)/2 * mpn * atten / (1+detLeakO+detLeakl) ; 

pwDetect = probOr (pDark, l-exp(-c*(e + .5))); 

pAfter = pwDetect * (pAfterO + pAfterl) / 2; 

pwDetect = probOr (pwDetect, pAf ter) ; 

pmCorr = probOr (pDark, pAfter, l-exp(-c*(e + cos(residPhase/2)"2))) ; 
pmlncorr = probOr (pDark, pAfter, l-exp(-c*(e + sin(residPhase/2)*2))) ; 
pmValid = probOr (pmCorr, pmlncorr); 
rate = pmValid / 2 * sourceRate; 
qber = (pmlncorr - pmCorr*pmIncorr) / pmValid; 
endf unction 

7o EDAC overhead — this is for the amount of extra information revealed, 

7o per bit, given the error rate. This is specifically for the BBN variant of 

7 Cascade, other protocols are likely to differ slightly. This also 

7. represents an average, over many blocks of slightly varying size and 

'/, error rate. The estimate does not include the error bits themselves. 

function ovhd = EDACoverhead (qber) 
global nEdacSets blockSize 

ovhd = qber* (l-log2 (qber)) + nEdacSets / blockSize; 
endf unction 

7. entropyEstimate — this applies the specific entropy estimate chosen 
7 and then turns it into a fraction of the sifted bits. The entropy 
7 estimate here is the information Eve may be assumed to have derived 
7 from eavesdropping on the single-photon pulses, there is a separate 
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% function for splitting multi-photon pulses. 
•/. 

% It can be tricky to compare estimates because of differing assumptions. 
7. The entropy derived in Bennett's paper (BBBSS92) refers to the entire 
7. key string, including error bits — they are kept in the string and 
7o accounted for as revealed information during error correction. The other 

70 estimates derive entropy on the non-error bits. In these functions, 

71 we standardize on Eve's entropy on the non-error bits. 
t 

7o We also explicitly subtract the privacy amplification overhead in the 
7. estimates, since this is different for the Myers-Pearson estimate (it 
7. uses Renyi order < 2) . 

fimction est = entropyEstimate (qber) 

global estlype blockSize confidence 
b = blockSize; 
e = qber*b; 
switch (estType) 
case 'Bennett' 

est = bennett(b,e,conf idence) ; 
case 'Slutsky' 

est = slutsky(b,e,conf idence) ; 
case ' Myers ' 

est = myers(b,e,conf idence) ; 
otherwise 

err or (' Unknown entropy estimate type 7«s' , estType) ; 

end 

est = est/blockSize ; 
endf unction 

function est = bennett(b,e, confidence) 
t = 2.828427*e; 

dev2 = 6.828427*e; 

confl = sqrt(2) * erf inv(l-conf idence) ; 
est = b - e - t - conf l*sqrt (dev2) ; 
est = est + 2*log2(conf idence) ; 
endf unction 

function est = slutsky (b, e , conf idence) 
confl = erf inv(l-conf idence) ; 
eprime = min(e / b + confl / sqrt(2*b), 1/3); 
t = (1 - 3*eprime) / (1 - eprime) ; 
t = (1 + 1.442695*log(l - 0.5*t*t)) * (b-e) ; 
dev2 = (b-e)/2; 

est = b - e - t - conf l*sqrt(dev2) ; 
est = est + 2*log2 (conf idence) ; 
endf unction 

7. estimatePNSbits — how many bits to discard because of "undetectable" 
7» eavesdropping, i.e. photon-number splitting attacks or unambiguous state 
7. discrimination (PNS or USD). This version is essentially Bennett's 
7o with a more accurate expression for multi-photon pulses. We assume 
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that in all multi-photon pulses, one is captured by Eve and stored imtil 
7. the bases axe annoimced. 

fimction mpdisc = estimatePNSbitsCsif t) 
global mpn detEffO detEffl rxLoss 

pO = exp(-mpn) ; 
pi = pO*mpn; 
p2x = 1-pO-pl; 
m = p2x / (pl+p2x) ; 
mpdisc = m * sift; 
endf unction 

7, estimatePNSgh — Gilbert & Hamrick's estimate of Eve's information from 
% "undetectable" eavesdropping 

function mpdisc = estimatePNSgh(sif t) 

global fiberLength fiberLoss mpn detEffO detEffl rxLoss eveChan 

pO = exp(-mpn) ; 

pi = pO*mpn; 

p2 = pl*mpn/2; 

p2x = 1-pO-pl; 

s2 = sqrt(2) ; 

y = .l'(.l*(fiberLength*fiberLoss*eveChan + rxLoss)) * (detEff 0+detEff l)/2; 

ml = p2x - l/(l-y)*(exp(-mpn*y)-exp(-mpn)*(l+mpn*(l-y))) ; 

m2 = p2*y + 1 - exp(-mpn)*(s2*sinh(mpn/s2)+2*cosh(mpn/s2)-l) ; 

m3 = p2*y + exp(-mpn)*(sinh(mpn)-s2*sinh(mpn/s2) ) ; 

p2k = p2; 

for k = (2:20) 

p2k = p2k * mpn * mpn / (k*(4*k-2)); 

m3 = m3 + p2k*max(l-(l-y) " (2*k-l) , 1-2" (1-k) ) ; 
endf or 

m = max( [ml ,m2,m3] ) ; 

mpdisc = m * sourceRate / 2; 

endf unction 

7, estimatePNSb — Bennett, et al.'s estimate for Eve's information from 
"undetectable" eavesdropping (BBBSS92) 

function mpdisc = estimatePNSb(sif t) 

global mpn 

mpdisc = sift*mpn; 
endf unction 

7, distilledRate — this is the final answer, number of distilled bits per 
% second. 

function rate = distilledRate 
global confidence 
[sift, qber] = siftedRate; 
ovhd = EDACoverhead(qber) ; 
ent = entropyEstimate(qber) ; 
mpd = estimatePNSbits(sift) ; 
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mpd = mpd + sqrt(2)*erfinv(l-confidence) * sqrt (mpd* (1-mpd/sif t) ) ; 
rate = max (sift* (ent-ovhd) - mpd, 0); 
endfvmction 

7. Myers/Pearson entropy estimate 

y. 

y. First we find the probability p for which the first k terms of the binomial 
y, distribution binom(n, i)*p~i* (1-p) ~ (n-i) svun up to 'confidence', the 
% probability that we're wrong. 

y. 

y. Then, given this probability, p, the best conditional probability of Eve 
y. correctly guessing a bit is: 

y. 

y. pe = .5 + sqrt( p/(l-p) * (1 - p/(l-p)) ) 

y. 

y, Then Eve's least Renyi entropy (order R) for the n-k non-error bits is: 

y. 

y. h(R) = (n-k)/(l-R) * log2(pe'R + (l-pe)'R) 

y. 

y Now from Cachin's paper (Smooth Entropy and Renyi Entropy), theorem 8, 
y, we know that the amount of smooth entropy (which we can feed into privacy 
y, amplification) is at least : 

y. 

y. h(R) - log2(m+l) - r/(R-l) - t - 2 

y 

y, where m-log2(m+l) = n+t, and 2* (-r)+2~ (-t) = confidence. 
t 

y If we ignore the negligible effect of t on the value of log(m) , the optimal 
y values of r and t are: 

y. 

% r = log2(R/conf idence) 

y. t = log2(R/((R-l)*conf idence)) 

y 

y, and the value of m is approximately: 

y. 

y. m = n + t + log2(n+t+l) 

y, or m = n + t + log2(n+t+l+log2(n+t+l+log2(n+t+l))) etc. 

y 

y In our internal function, we negate this, so we can minimize. 

function h = myers_neg_renyi_entropy (r) 

global myers_n myers_k myers_conf idence myers_pe 

h = (myers_n - myers_k) / (1-r) * log2(myers_pe"r + (l-myers_pe) ~r) ; 
t = log2(r/ ( (r-1) *myers_conf idence) ) ; 

h = h - log2(myers_n+t+l+log2(myers_n+t+l+log2(myers_n+t+l))) ; 
h = h - log2(r/myers_conf idence) /(r-1) - t - 2; 
h = -h; 
endf unction 

y Another internal function — the sum of the first myers_k terms of the 
y» binomial distribution, minus myers_conf idence (so we can find a zero) 
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function s = myers_binomtail (p) 

global myers_n myers.k myers_conf idence 

kl = myers_k; 

k2 = myers_n-myers_k; 

if (kl > k2) 

kl = k2; 

k2 = myers_k; 
endif 

'/, Compute the highest term, then go backwards 

if (kl*log(myers_n) < 200) 
7. exact if < 10'86 
1 = 1; 

for i = l:kl 

1=1* (myers_n-i+l) / i; 
endf or 

t = 1 * p~myers_k * (1-p) ~ (myers_n-myers_k) ; 

else 

y. otherwise use Stirling's approximation 

kl = kl+1; 

k2 = k2+l; 

nl = myers_n+l ; 

1=1- .5*log(2*pi) ; 

1=1+ (l/(nl) - l/(kl) - l/(k2)) / 12; 
1=1- (l/(nl)-3 - l/(kl)-3 - l/(k2)-3) / 360; 
1=1+ (l/(nl)-5 - l/(kl)-5 - l/(k2)-5) / 1260; 
1=1+ (nl-.5)*log(nl) - (kl-.5)*log(kl) - (k2- . 5) *log(k2) ; 
t = expd + myers_k*log(p) + (myers_n-myers_k) *log(l-p) ) ; 
endif 

Now loop back to the beginning, but exit if we stop changing sum 

s = t - myers_conf idence ; 
for kl = (myers_k-l : -1 : 0) 

t = t * (kl+1) * (1-p) / (p * (myers_n-kl)) ; 

si = s + t; 

if si == s 
break 

endif 

s = si; 
endf or 
endf unction 

fimction entropy = myers(n,k, confidence) 

global myers.n myers.k myers_conf idence myers_pe 

'/, Approximate starting point 

p = 1 - InvBetaApprox(n-k,k, confidence) ; 
myers_n = n; 
myers.k = k; 
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myers_conf idence = confidence; 

°/« Solve for probability p, and compute Eve's probability of guessing 

p = f zero( 'myers_binomtail' ,p) ; 
p = min(p,l/3) ; 

myers.pe = .5 + sqrt( p/(l-p) * (1 - p/(l-p)) ); 
7. Maximize entropy measure over Renyi order R 
r = fminbndC 'myers_neg_renyi_entropy ' , 1 . 01 , 2) ; 
y. Return the maximized entropy 

entropy = -myers_neg_renyi_entropy (r) ; 

endf unction 

% Abramowitz and Stegxm approximation for the inverse of the incomplete 
% Beta function 

function v = InvBetaApprox(a,b,p) 
y = sqrt(2) * erf inv(l-2*p) ; 
1 = y*y/6 - .5; 
al = l/(2*a-l); 
bl = l/(2*b-l); 
h = 2/(al+bl) ; 

w = y*sqrt(h+l)/h - (bl-al) * (1+5/6-2/ (3*h) ) ; 
V = a/(a+b*exp(2*w)) ; 
endf unction 



